Feng Hao, Department of Computer Science, University of Warwick, UK

PhD and post-doc posts available for 2019. Contact me for more details.

About me

I'm a Professor of Security Engineering at the Department of Computer Science, University of Warwick. I
graduated with a PhD from the Security Group
(where I still have my old badge), at
the Computer Laboratory, University of Cambridge, under the joint
supervision of Prof Ross
Anderson and Prof John
Daugman. I had six years of working experience in the security industry, with a CISSP,
before joining Newcastle University Computing Science as a lecturer in December 2010. With Peter Ryan, I co-edited the
book "Real-World Electronic Voting: Design, Analysis and Deployment"
(2016, CRC
Press, on Amazon).

My research interest (and that of my research team) is primarily driven by
tackling real-world security problems. With my former PhD advisers (Ross Anderson and John Daugman), I
proposed the first secure solution to combine iris biometrics and cryptography, the two complementary
security technologies. Our paper "Combining crypto with biometrics effectively" (IEEE Trans. on Computers, 2006)
is ranked top among the Google Scholar Classic Papers in the category of Computer Security & Cryptography. With colleagues, I designed a
few cryptographic protocols: AV-net (so far the most efficient
solution to the Dining Cryptographers problem), YAK (a PKI-based authenticated key exchange protocol that has stood against all attacks since 2010), J-PAKE (a password authenticated
key exchange protocol that has been deployed to several million
Internet users in the real world, adopted as an industry standard for IoT, and accepted as an international standard in
ISO/IEC 11770-4), Open Vote
network (so far the most efficient decentralized e-voting
protocol in every aspect including rounds, computation and bandwidth), DRE-i
(the first E2E verifiable e-voting system without tallying authorities) and
DRE-ip
(an alternative design to DRE-i based on a different real-time computation strategy; see YouTube demo).
So far, none of these protocols have been
broken. Besides designing secure protocols, I cryptanalyze insecure protocols. Together with Siamak
Shahandashti, I found and fixed security weaknesses in SPEKE, a
password-authenticated key exchange protocol that has been
standardized in IEEE P1363.2 and ISO/IEC 11770-4. The attacks have
been acknowledged by ISO/IEC SC 27 Work Group 2 and the standard has been
revised in 2017 to incorporate our proposed fix.

Some of the protocols that we designed have been applied in
practice. In particular, J-PAKE (see blog)
has been used in Firefox remote control service
(YouTube demo),
Firefox sync 1.1
(YouTube demo),
Palemoon sync,
NXP Thread
(YouTube demo),
ARM mbed,
OpenThread (YouTube demo),
Nest Guard,
Nest Detect,
Bouncycastle,
and adopted by
Thread Group
(white paper)
as an open industry standard for the IoT commissioning process
(YouTube tutorial),
and standardized internationally in
ISO/IEC 11770-4:2017
and in
RFC 8236 (together with
RFC 8235).
An independent study on the security of J-PAKE was presented by
Abdalla, Benhamouda and MacKenzie in IEEE S&P 2015 (YouTube presentation).
A verifiable classroom voting
system based on the DRE-i protocol has been developed and
subsequently trialed in real classroom teaching with positive student
feedback. The DRE-i protocol represents the first step in exploring
a new generation of e-voting protocols that are end-to-end verifiable
and also free from any tallying authority. I call this new direction
"Self-Enforcing Electronic Voting" (SEEV). In 2012, I was awarded a
1.5 million euro ERC
starting grant to support my further investigation of SEEV (one of
the 7 such awards in computer science in the UK, and 34 in total in
Europe), and in 2015, a follow-up ERC
Proof of Concept grant to support commercialization of SEEV (one
of the 45 awards in Europe in all subjects, and the only one in the UK
in computer science; overall, only 4% of the ERC projects have produced a PoC grant).

Finally, I have a general interest in designing efficient computing algorithms.
I modified the classic Dynamic Programming algorithm to make it more suitable for handwritten signature
verification. I worked with John Daugman, the original inventor of iris recognition, and designed a
fast search algorithm for iris recognition, which achieves a substantial speed-up over the traditional
exhaustive search algorithm with a negligible loss of accuracy.

Publications

I'm fond of security research that is new, useful and diverse. I am a believer of Roger Needham's maxim: "Good research comes from tackling real problems". I love mathematics but I dislike seeing it overused to make papers look hyper-fancy.

This paper presents a new 2-round MPC protocol called PriVeto to compute the boolean-OR function. Compared with AV-net, PriVeto requires all participants to commit their inputs in the first round instead of in the second round. It prevents the last participant in the second round from making any run-time change and limits every participant to learning nothing more than their own input and the final output.

This is a journal version of our SSR'14 paper. It extends the earlier conference paper by adding a formal analysis of the patched SPEKE, and details of how our proposed patch was accepted and published in the latest ISO/IEC 11770-4 (2017) standard.

This paper presents the first practical verifiable classroom voting (VCV) system, which has been used regularly in real classroom teaching, as well as academic prize competitions, at Newcastle University with positive user feedback since 2013. This paper lays the groundwork for my 2015 ERC Proof of Concept grant.

This RFC describes J-PAKE, which is a password-authenticated key exchange protocol first published at SPW'08 (Hao, Ryan). In 2008, I wrote a blog asking for public scrutiny on the security of J-PAKE. Ten years on, the J-PAKE protocol has stood against all known attacks.

This RFC describes Schnorr NIZK, which is an important Zero Knowledge Proof (ZKP) primitive. This technique is used in J-PAKE, but it is described in a standalone RFC as it is generally useful, e.g., also used in AV-net, YAK and OV-net.
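The Schnorr NIZK described above is small enough to show end to end. The block below is an added example written for this page, not code from the RFC, from J-PAKE or from any of the author's projects. It follows the RFC 8235 shape (prover publishes V = g^v and r = v - a*c mod q, with c = H(g, V, A, UserID); verifier checks V == g^r * A^c) over a constructed toy Schnorr group (p = 1019, q = 509, g = 4) that is useful only for illustration; the exact byte encoding fed to the hash is an assumption. The verifier also validates the public key A (range check and A^q = 1), the check whose omission is the subject of the Dragonfly paper further down this page.

```python
import hashlib
import secrets

# Constructed toy Schnorr group: p = 2q + 1 with q prime, g a generator of the
# order-q subgroup. Real deployments use the groups RFC 8235 recommends.
P = 1019
Q = 509
G = 4


def hash_to_challenge(g: int, V: int, A: int, user_id: str) -> int:
    """c = H(g || V || A || UserID) reduced mod q. Byte layout is an assumption
    (two-byte big-endian fields suffice because p < 2**16)."""
    data = b"".join(x.to_bytes(2, "big") for x in (g, V, A)) + user_id.encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def prove(a: int, user_id: str):
    """Prover knows private exponent a; returns public key A and proof (V, r)."""
    A = pow(G, a, P)
    v = secrets.randbelow(Q - 1) + 1          # fresh per-proof randomness in [1, q-1]
    V = pow(G, v, P)
    c = hash_to_challenge(G, V, A, user_id)   # Fiat-Shamir: challenge from a hash
    r = (v - a * c) % Q
    return A, (V, r)


def validate_public_key(A: int) -> bool:
    """Public-key validation: A in (1, p) and in the prime-order subgroup."""
    return 1 < A < P and pow(A, Q, P) == 1


def verify(A: int, proof, user_id: str) -> bool:
    """Verifier recomputes c and checks V == g^r * A^c (mod p)."""
    V, r = proof
    if not validate_public_key(A) or not (1 < V < P):
        return False
    c = hash_to_challenge(G, V, A, user_id)
    return V == (pow(G, r, P) * pow(A, c, P)) % P


def demo():
    """Honest proof verifies; same proof under another identity, or with a
    tampered response, does not."""
    A, proof = prove(123, "alice")
    V, r = proof
    return (
        verify(A, proof, "alice"),
        verify(A, proof, "bob"),              # UserID binding: fails
        verify(A, (V, (r + 1) % Q), "alice"), # tampered r: fails
        verify(1, proof, "alice"),            # degenerate key A = 1: rejected
    )


if __name__ == "__main__":
    print(demo())  # (True, False, False, False)
```

The UserID inside the hash is what stops a proof generated by one party from being replayed as another party's proof, which is why the RFC binds it into the challenge rather than leaving it out.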

This paper presents the first implementation of a decentralized Internet voting protocol with maximum voter privacy over Ethereum's blockchain. It lays the technical basis for Newcastle University's solution that won 3rd place in the 2016 Economist Cybersecurity Challenge. This work is featured in CoinDesk.

This paper highlights the card-collision problem in NFC payments, the inconsistency between the current NFC terminal implementation and the EMV specification, and how that inconsistency may be exploited by an attacker to compromise the user privacy during contactless payments.

This paper presents a new "self-enforcing e-voting" system called DRE-ip. Similar to DRE-i (Hao et al. USENIX JETS 2014), DRE-ip provides end-to-end (E2E) verifiability without tallying authorities. But, instead of using pre-computation as in DRE-i, DRE-ip opts for real-time computation, and hence has the advantage in providing stronger guarantee on ballot privacy. Both protocols can be generically implemented for Internet voting as well as polling station voting. However, due to the different underlying computation strategies, DRE-i is particularly suitable for Internet voting while DRE-ip is more suitable for polling station voting.

This paper presents an improved attack (over our earlier work) on stealing the user's PINs via mobile sensors. It further presents a user study to evaluate the user awareness of the data leakage problem caused by the sensors. The results indicate that users are generally not aware of the data generated by sensors and how that data might be used to undermine security and privacy.

It
presents two attacks on the standard BIP70 Bitcoin Payment protocol
and a countermeasure. Both attacks and the countermeasure have been
acknowledged by the two largest Bitcoin processors, Bitpay and
Coinbase.

It reports a significant security flaw in the current
specification of W3C regarding JavaScript's unrestricted access to
the sensor data in a browser on a mobile phone. The W3C community and
major browser vendors (Mozilla, Google, Apple, Opera) have
acknowledged our work and are implementing some of our suggested
countermeasures. This paper is a journal version of the one presented
earlier at ASIACCS'15.

This paper presents a new solution on preventing Mafia attacks in
NFC payment by leveraging the highly correlated vibrations induced by
physical tapping between two NFC-enabled devices. Our solution is
arguably simpler and more cost-effective than previous solutions that
are usually based on distance bounding or ambient environment
measurements.

It proposes
a new category of authenticated key exchange (AKE) protocols, which
bootstrap trust entirely from the block chain (as opposed to PKI or
shared passwords). This work fills in an important gap, which is currently
not covered by any key exchange standards (e.g., IEEE, ISO/IEC).

It presents J-PAKE+ and SPEKE+, the group variants of J-PAKE
and SPEKE (both of which have been used in practical applications). Our work
establishes a new record of round efficiency for Group PAKE, and is
close to the best achievable that one may hope for.

It presents the first attack on breaching privacy of a mobile user
via JavaScript, which, in contrast to all previous app-based attacks,
does not require installing any software (app) on the user's device,
and hence is potentially more dangerous.

It points out two security issues with the SPEKE protocol, as
currently defined in the IEEE P1363.2 and ISO/IEC 11770-4 standards,
and also proposes a solution to address the attacks. Both attacks
have been acknowledged by the technical committee in ISO/IEC SC 27, work group 2, with
our proposed fix being included in the ISO/IEC 11770-4 standard.

This paper lays the foundation for my 2012
ERC starting grant on "self-enforcing e-voting". It challenges the
traditional view on the role of trustworthy tallying authorities in
E2E verifiable voting protocols and questions whether such a role is as
indispensable as many have believed over the past twenty years. Since
the initial publication as an IACR report in 2010, the
paper was repeatedly rejected by top conferences in the security field. In the final
acceptance in 2014, the basic DRE-i protocol remained unchanged from
its initial specification in 2010.

It
presents a comprehensive security analysis of the current state of
private browsing as implemented in major browsers. The testing
software is released here
as open source. Some identified issues have been acknowledged by
browser vendors and fixed accordingly in newer versions of browsers
(see the extended journal
version of the paper for details).

It points out that the omission of public key
validation renders the Dragonfly protocol (a recent Internet
draft submitted to IETF) completely insecure. Our attack has
been acknowledged and fixed accordingly in the newer
version of the Dragonfly specification in IETF and the final RFC publication.

It is a journal version of the J-PAKE paper, which was first presented at SPW'08. Since 2015, J-PAKE
has been adopted by the Thread Group (an IoT consortium including ARM, Google Nest, Samsung, NXP, Qualcomm, Silicon Labs, Yale etc.)
as a standard key establishment mechanism to bootstrap the initial trust for adding a new IoT device to a Thread network.
The Thread commissioning protocol based on J-PAKE can be found on the Thread Group website.

It presents two new attacks on the HMQV protocol (a candidate being standardized by IEEE P1363). These attacks highlight the caution one should take when interpreting the provable results from a formal model. The attacks were discussed by the IEEE P1363 Working Group in 2010, and since then the standardization of HMQV in IEEE P1363 has been paused. The paper also presents a new authenticated key agreement protocol called YAK. The YAK protocol is by far the simplest public-key authenticated key exchange protocol, and arguably one of the most robust. The paper forms one important piece of groundwork for my 2012 EPSRC First Grant; see the journal version of the paper here.

It shows a counter-example to explain that the claim about the on-line dictionary attack resistance in SRP-6 is not valid. This does not threaten the practical security of SRP-6, but serves to highlight the risk of making heuristic claims without any proof.

It presents a decentralized e-voting scheme called Open Vote Network. Our scheme is more efficient than the previous Kiayias-Yung (PKC'02) and Groth (FC'04) solutions in every aspect, including the number of rounds, the computational load and the bandwidth usage.
A proof-of-concept implementation of the Open Vote Network over the Ethereum blockchain won the third place in the 2016 Economist Cybersecurity Challenge.
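The self-tallying property of the Open Vote Network is the part worth seeing in code. The block below is an added example written for this page, not the Newcastle implementation and not the Ethereum proof of concept. It shows only the two broadcast rounds and the tally: in round 1 each voter i publishes g^{x_i}; in round 2 each voter computes g^{y_i} = prod_{j<i} g^{x_j} / prod_{j>i} g^{x_j} from the public values and publishes g^{x_i y_i} g^{v_i}; multiplying all round-2 values cancels every g^{x_i y_i} term (sum_i x_i y_i = 0) and leaves g^{sum v_i}, which is recovered by a bounded search. The zero-knowledge proofs that the real protocol attaches to each round (knowledge of x_i, and v_i in {0,1}) are deliberately left out here, so this toy has no protection against a malformed ballot; the group parameters (p = 1019, q = 509, g = 4) are constructed for illustration only.

```python
import secrets

# Constructed toy Schnorr group (p = 2q + 1), for illustration only.
P = 1019
Q = 509
G = 4


def round1(votes):
    """Each voter picks a private x_i and broadcasts g^{x_i}."""
    xs = [secrets.randbelow(Q - 1) + 1 for _ in votes]
    public = [pow(G, x, P) for x in xs]
    return xs, public


def reconstructed_key(public, i):
    """g^{y_i} = (prod_{j<i} g^{x_j}) / (prod_{j>i} g^{x_j}) mod p, computed
    from the round-1 broadcasts alone (no private values needed)."""
    before = 1
    for A in public[:i]:
        before = before * A % P
    after = 1
    for A in public[i + 1:]:
        after = after * A % P
    return before * pow(after, -1, P) % P


def round2(votes, xs, public):
    """Voter i broadcasts g^{x_i y_i} * g^{v_i}. (The real protocol also
    attaches a 1-of-2 ZKP that v_i is 0 or 1; omitted in this toy.)"""
    ballots = []
    for i, (x, v) in enumerate(zip(xs, votes)):
        assert v in (0, 1)
        gy = reconstructed_key(public, i)
        ballots.append(pow(gy, x, P) * pow(G, v, P) % P)
    return ballots


def tally(ballots):
    """Anyone can multiply the ballots: the g^{x_i y_i} terms cancel because
    sum_i x_i y_i = 0, leaving g^{sum v_i}. Recover the count by search over
    0..n (n is small, so this is cheap)."""
    product = 1
    for b in ballots:
        product = product * b % P
    for t in range(len(ballots) + 1):
        if pow(G, t, P) == product:
            return t
    return None  # product is not g^t for any feasible t: some ballot was malformed


def run_election(votes):
    """Full toy run: returns the self-tallied number of 'yes' votes."""
    xs, public = round1(votes)
    ballots = round2(votes, xs, public)
    return tally(ballots)


if __name__ == "__main__":
    print(run_election([1, 0, 1, 1, 0]))  # 3
```

Because the tally is computed from public broadcasts only, there is no tallying authority to trust for correctness; the missing ZKPs are what make the scheme robust against a voter who broadcasts something other than an encoding of 0 or 1, which the `None` return from `tally` only detects after the fact.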

It proposes a crypto protocol called Password Authenticated Key Exchange by Juggling (J-PAKE). Compared with EKE (patented by Lucent
Technologies) and SPEKE (patented by Phoenix Technologies), J-PAKE has clear advantages in security with comparable efficiency.
As of Oct 2014, J-PAKE has been adopted by the ISO/IEC 11770-4 standard, included in OpenSSL and the Bouncycastle API, and used in commercial applications such as browser sync and Google Nest thermostats.

It proposes the first practical and secure way to integrate the iris biometric into cryptographic applications. This paper
tops the Google Scholar Classic Papers in the category of Computer Security & Cryptography. The Google Scholar Classic Papers were released by Google in June 2017 as a collection of highly-cited papers in their area of research that were published 10 years ago and have stood the test of time.

My PhD dissertation was completed within three years, with three papers published in high-ranking journals (IEEE/Springer Transactions) covering three different research topics.
It's probably the shortest dissertation among those submitted by PhD graduates in the Computer Laboratory. See all technical reports.

A blog set up to facilitate two-way communication: 1) to disseminate our research results to people outside Newcastle University; 2) to allow anyone to freely comment, scrutinize and criticize our work.